Meraki Community

One of our vendors sent us a VPN concentrator and what I need to do is somehow route or forward internally 198.19.x.x to 192.168.0.243 (which is where the concentrator lives).

198.19.x.x/16 is the destination subnet? Then you just create a static route for 198.19.x.x/16? to 192.168.0.243

Or is 198.19.x.x your source subnet?

198.19.x.x is the destination

Well, you will have to create a link (a transit VLAN)between this hub and the router you have on your network.

That's why I asked for a topology to understand how your network is logically.

Having this link, simply create a static route to 198.19.x.x pointing to 192.168.0.243 as the next hop.

It's a pretty basic routing to be honest.

I built 1:1 NAT and that works for me, I can connect to the concentrator, at least at the hub the concentrator is installed at.  I can't connect to it from site-to-site spokes and 1:1 NAT rules won't work there since it's not the same subnet.

Dude, seriously, can you share a topology? It will help a lot with understanding.

Your explanation is confusing.

When I have time to edit my Visio so I can share it publicly, I will.

1:1 NAT is used for access from outside to inside, so it won't work if you are trying to access via the VPN tunnel, you have to route it in such a way that you can inject the route into the VPN tunnel.

It's working;

Here's the NAT rule:

Here is me successfully connecting to it:

I'm not saying it won't work, but it won't work via a VPN tunnel, but directly over the internet.

Anyway, I don't know if it's a good idea to leave it exposed to the internet.

That's what I thought, build a static route, but when I go to Security & SD-WAN -> Routing, it shows me this...

Unless that is the wrong place to get it.

What I did is set up a 1:1 NAT rule where the 198 (which is an non-routeable address) points to the VPN concentrator at .243; and it works, it resolves... what I need to figure out now, is how to make that work at other locations that are site-to-site VPN to the MX; at those locations it doesn't allow me to build 1:1 NAT rules, and it also won't let me create a static route (see above).

Static routes are made on the Addressing & VLANs page.

I built a route like so:

It won't let me save it, it tells me that "static lan route has an invalid next hop IP.  The IP address is not on a configured subnet."

192.168.0.x is connected via site-to-site VPN

That's what I'm trying to tell you, there's no way to create a route without having the subnet configured in the MX.

Therefore, a topology would help a lot in suggesting a solution.